OSDOCS-11625: Viewing Network events in Network Observability #85999
@skrthomas: This pull request references OSDOCS-11625 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/retest
🤖 Mon Feb 10 20:08:13 - Prow CI generated the docs preview:
d56f3ae to b111af3
b111af3 to 253646d
features: | ||
- "NetworkEvents" | ||
---- | ||
<1> The `sampling` parameter is set to a value of 1 so that all network events are captured. |
Sampling of 1 is more of a recommendation and not a must, in case users have resource concerns.
[source,text] | ||
---- | ||
Allowed by admin network policy allow-egress-iperf, direction Egress | ||
---- No newline at end of file |
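Review bot: the closing `----` of this listing is the last line of the file and the diff reports no newline at end of file; add a trailing newline. The sample line names a specific policy, `allow-egress-iperf`, so the sentence introducing the block should say it is example output rather than the text every cluster will show.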
How can I view the above examples? Is there a link to another doc, or is there a to-do?
@msherif1234 sorry I thought I posted this comment, but I accidentally started a review instead of adding a single comment. I thought these examples are printed in the Network Events column? You shared this screen capture with me a while ago:
You need to state this is a TP feature, and we need a section about network events metrics.
@skrthomas not sure which OCP version these docs are intended for, but just a note, this feature is only supported for OCP 4.17 and we should mention that cluster must be in TechPreviewNoUpgrade mode (see https://docs.openshift.com/container-platform/4.17/nodes/clusters/nodes-cluster-enabling-features.html#nodes-cluster-enabling-features-cli_nodes-cluster-enabling)
Besides that I have similar comments as @msherif1234 pointed out on showing examples.
253646d to 523dc1b
@memodi Thanks Mehul. Unfortunately, I think since this feature is only for 4.17 and 4.18, I'm going to have to re-open this PR against Re: Regarding your question about the example text, what I have shown is meant to be an example of the kinds of text you can see in the Network Events column. I thought that there was a possibility for a variety of messages to print in this field, depending on the type/characteristic of the network event. Are there specific filtering parameters in the UI that will render each of the types of examples I have listed? cc @msherif1234
ddd80a1 to 57254a8
|
||
.Prerequisites | ||
* Must have `OVNObservability` enabled by enabling the `TechPreviewNoUpgrade` feature set in the `FeatureGate` CR named `cluster`. For more information, see "Enabling feature sets using the CLI" and "Checking OVN-Kubernetes network traffic with OVS sampling using the CLI" in the "Additional resources" of this section. | ||
* Must have a network policy enabled to see network events for network policy, as shown in the Verification. |
@memodi @msherif1234 does it help to add to the prerequisites that they must have a network policy enabled to be able to see network policy events?
Also here's the link I mention in the first prerequisite: https://docs.openshift.com/container-platform/4.18/networking/ovn_kubernetes_network_provider/ovn-kubernetes-troubleshooting-sources.html#nw-ovn-kubernetes-observability_ovn-kubernetes-sources-of-troubleshooting-information
I removed adjusted the example output in the verification to be more inclusive and flexible for different output scenarios.
I noted that this is a prerequisite in the OVN-K documentation:
You have created at least one of the following network APIs: NetworkPolicy, AdminNetworkPolicy, BaselineNetworkPolicy, UserDefinedNetwork isolation, multicast, or egress firewalls.
I know we were discussing whether or not this should be a prerequisite. Maybe it should, since it is in the OVN-K docs?
I know we were discussing whether or not this should be a prerequisite. Maybe it should, since it is in the OVN-K docs?
Ok, let's follow them then. My rationale was that you can turn on the feature even without having any policy defined - and the network events still tell you meaningful information by their absence - that there is no policy installed. But let's be consistent with ovnk doc ;-)
Example for Metrics covered here: https://github.com/openshift/openshift-docs/pull/87747/files cc @jotak
4cbd997 to 3827e7b
3827e7b to 7984fb1
57ee54b to 7984fb1
A couple of comments to consider; otherwise LGTM
:FeatureName: Viewing `NetworkEvents` | ||
include::snippets/technology-preview.adoc[] | ||
|
||
You use network event tracking in Network Observability to gain insight into OVN-Kubernetes events, including network policies, admin network policies, and egress firewalls. You can use the insights from tracking network events to help with the following: |
You use network event tracking in Network Observability to gain insight into OVN-Kubernetes events, including network policies, admin network policies, and egress firewalls. You can use the insights from tracking network events to help with the following: | |
You use network event tracking in Network Observability to gain insight into OVN-Kubernetes events, including network policies, admin network policies, and egress firewalls. You can use the insights from tracking network events to help with the following events: |
Hmm I am thinking maybe "tasks" instead of "events"?
:FeatureName: Viewing `NetworkEvents` | ||
include::snippets/technology-preview.adoc[] | ||
|
||
You can view information about network traffic events, such as network flows that are dropped or allowed by a `NetworkPolicy``, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `EgressFirewall`, `UserDefinedNetwork` isolation, or Multicast ACLs by editing the `FlowCollector` to the specifications in the following YAML example. |
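Review bot: in the introductory sentence `NetworkPolicy` is closed with two backticks (`NetworkPolicy``), which is likely to break the monospace formatting of the names that follow; remove the extra backtick. The sentence also ends with "or Multicast ACLs by editing the `FlowCollector`", which reads as if editing the `FlowCollector` applies only to multicast ACLs; splitting it into one sentence that lists the resources and a second that says to edit the `FlowCollector` would remove the ambiguity.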
You can view information about network traffic events, such as network flows that are dropped or allowed by a `NetworkPolicy``, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `EgressFirewall`, `UserDefinedNetwork` isolation, or Multicast ACLs by editing the `FlowCollector` to the specifications in the following YAML example. | |
You can view information about network traffic events, such as network flows that are dropped or allowed by the following resources: | |
* `NetworkPolicy` | |
* `AdminNetworkPolicy` | |
* `BaselineNetworkPolicy` | |
* `EgressFirewall` | |
* `UserDefinedNetwork` isolation | |
* Multicast ACLs by editing the `FlowCollector` to the specifications in the following YAML example. |
- Consider using a bullet list
- Consider expanding ACL
You can view information about network traffic events, such as network flows that are dropped or allowed by a `NetworkPolicy``, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `EgressFirewall`, `UserDefinedNetwork` isolation, or Multicast ACLs by editing the `FlowCollector` to the specifications in the following YAML example. | ||
|
||
.Prerequisites | ||
* Must have `OVNObservability` enabled by enabling the `TechPreviewNoUpgrade` feature set in the `FeatureGate` CR named `cluster`. For more information, see "Enabling feature sets using the CLI" and "Checking OVN-Kubernetes network traffic with OVS sampling using the CLI" in the "Additional resources" of this section. |
* Must have `OVNObservability` enabled by enabling the `TechPreviewNoUpgrade` feature set in the `FeatureGate` CR named `cluster`. For more information, see "Enabling feature sets using the CLI" and "Checking OVN-Kubernetes network traffic with OVS sampling using the CLI" in the "Additional resources" of this section. | |
* You must have `OVNObservability` enabled by setting the `TechPreviewNoUpgrade` feature in the `FeatureGate` custom resource (CR) named `cluster`. For more information, see "Enabling feature sets using the CLI" and "Checking OVN-Kubernetes network traffic with OVS sampling using the CLI". |
|
||
.Prerequisites | ||
* Must have `OVNObservability` enabled by enabling the `TechPreviewNoUpgrade` feature set in the `FeatureGate` CR named `cluster`. For more information, see "Enabling feature sets using the CLI" and "Checking OVN-Kubernetes network traffic with OVS sampling using the CLI" in the "Additional resources" of this section. | ||
* You have created at least one of the following network APIs: `NetworkPolicy`, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `UserDefinedNetwork` isolation, multicast, or `EgressFirewall`. |
* You have created at least one of the following network APIs: `NetworkPolicy`, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `UserDefinedNetwork` isolation, multicast, or `EgressFirewall`. | |
* You have created at least one of the following network APIs: | |
** `NetworkPolicy` | |
** `AdminNetworkPolicy` | |
** `BaselineNetworkPolicy` | |
** `UserDefinedNetwork` isolation | |
** multicast | |
** `EgressFirewall` |
- Consider using a bullet list for better readability.
I see your point, but I think I'll leave these since I bulleted them in the introduction.
. In the web console, navigate to *Operators* -> *Installed Operators*. | ||
. In the *Provided APIs* heading for the *NetObserv Operator*, select *Flow Collector*. | ||
. Select *cluster*, and then select the *YAML* tab. | ||
. Configure the `FlowCollector` custom resource to enable viewing `NetworkEvents`, for example: |
. Configure the `FlowCollector` custom resource to enable viewing `NetworkEvents`, for example: | |
. Configure the `FlowCollector` CR to enable viewing `NetworkEvents`, for example: |
features: | ||
- "NetworkEvents" | ||
---- | ||
<1> Optional: The `sampling` parameter is set to a value of 1 so that all network events are captured. If sampling 1 is too resource heavy, set sampling to something more appropriate for your needs. |
<1> Optional: The `sampling` parameter is set to a value of 1 so that all network events are captured. If sampling 1 is too resource heavy, set sampling to something more appropriate for your needs. | |
<1> Optional: The `sampling` parameter is set to a value of `1` so that all network events are captured. If sampling `1` is too resource heavy, set sampling to something more appropriate for your needs. |
Should `1` be in back ticks since it's a parameter's value?
- "NetworkEvents" | ||
---- | ||
<1> Optional: The `sampling` parameter is set to a value of 1 so that all network events are captured. If sampling 1 is too resource heavy, set sampling to something more appropriate for your needs. | ||
<2> The `privileged` parameter is set to `true` because the `OVN observability` library needs to access local OVS socket and OVN databases. |
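Review bot: callout <2> says why `privileged` is `true` but, unlike callout <1>, not whether the setting is optional. Because it gives access to the local OVS socket and the OVN databases, say explicitly that it is required for `NetworkEvents`, so readers do not leave it enabled where the feature is off or drop it and wonder why no events appear. `OVN observability` is in code formatting but contains a space, so it does not read as a literal identifier; use plain text or the actual name.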
Instances of OVS/OVN are the first ones, they need expanding --
Open vSwitch (OVS)
OpenShift Virtual Network (OVN)
|
||
.Verification | ||
. Navigate to the *Network Traffic* view and select the *Traffic flows* table. | ||
. You should see the new column, *Network Events*, where you can view information about impacts of one of the following network APIs you have enabled: `NetworkPolicy`, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `UserDefinedNetwork` isolation, multicast, or egress firewalls. An example of the kind of events you could see in this column is as follows: |
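Review bot: step 2 of the verification is written as a numbered step but describes an expected result ("You should see the new column"); phrase it as an action followed by the outcome. The list here ends with "egress firewalls" in plain text, while the prerequisites list the same API as `EgressFirewall`; use one form in both places.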
. You should see the new column, *Network Events*, where you can view information about impacts of one of the following network APIs you have enabled: `NetworkPolicy`, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `UserDefinedNetwork` isolation, multicast, or egress firewalls. An example of the kind of events you could see in this column is as follows: | |
. You should see the new column, *Network Events*, where you can view information about impacts of one of the following network APIs you have enabled: | |
* `NetworkPolicy` | |
* `AdminNetworkPolicy` | |
* `BaselineNetworkPolicy` | |
* `UserDefinedNetwork` isolation | |
* multicast | |
* egress firewalls | |
An example of the kind of events you could see in this column is as follows: |
7984fb1 to ca97fa1
ca97fa1 to 9d20ea9
@skrthomas: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Copying this PR to another, as it needs to go to 4.17, 4.18 only and the New PR to be merged: #88408
Version(s):
4.17, 4.18
Issue:
https://issues.redhat.com/browse/OSDOCS-12600
Link to docs preview:
Overview: https://85999--ocpdocs-pr.netlify.app/openshift-enterprise/latest/observability/network_observability/observing-network-traffic.html#network-observability-networking-events-overview_nw-observe-network-traffic
Viewing network events: https://85999--ocpdocs-pr.netlify.app/openshift-enterprise/latest/observability/network_observability/observing-network-traffic.html#network-observability-viewing-network-events_nw-observe-network-traffic
QE review:
Additional information: